Richard Bejtlich's blog on digital security, strategic thought, and military history.

Thursday, November 04, 2004

Thoughts on Source Code Club

You may have seen the post to full-disclosure two days ago announcing the availability of Cisco Pix source code at the Google group alt.gap.international.sales. The press has picked up the story; PCWorld's article is one example. Essentially a group calling itself the Source Code Club (SCC) is offering the source code for Cisco's firewall, the Pix, version 6.3(1), dating from March 2003, for US $24,000. The latest is 6.3(4), dating from July 2004. SCC is also "selling" source code of Enterasys Dragon IDS and Napster.

This story reinforces the idea that proprietary software isn't necessarily more "secure" because the source code "isn't available." How many other applications or operating systems are being traded or sold on the Internet? I'm guessing the SCC group is only the tip of the iceberg. I wonder, however, why they don't sell their wares in a completely private manner. They may be getting greedy and think that something like Pix source code has a broader appeal. I think SCC is setting itself up for a meeting with law enforcement at some point!